terraform-provider: document MAA patching more prominently (#3330)

Moritz Sanft 2024-08-29 15:50:26 +02:00 committed by GitHub
parent c11631ec11
commit 8555bd00a9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 3 deletions


@ -42,7 +42,8 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview
### Optional
- `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.
- `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service
- `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.
### Read-Only


@ -80,6 +80,8 @@ data "constellation_attestation" "foo" {
csp = local.csp
attestation_variant = local.attestation_variant
image = data.constellation_image.bar.image
# Needs to be patched manually, see:
# https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup
maa_url = module.azure_infrastructure.attestation_url
}


@ -98,8 +98,9 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq
"attestation_variant": newAttestationVariantAttributeSchema(attributeInput),
"image": newImageAttributeSchema(attributeInput),
"maa_url": schema.StringAttribute{
MarkdownDescription: "For Azure only, the URL of the Microsoft Azure Attestation service",
Optional: true,
MarkdownDescription: `For Azure only, the URL of the Microsoft Azure Attestation service. The MAA's policy needs to be patched manually to work with Constellation OS images.
See the [Constellation documentation](https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup) for more information.`,
Optional: true,
},
"insecure": schema.BoolAttribute{
MarkdownDescription: "DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.",
@ -125,6 +126,15 @@ func (d *AttestationDataSource) ValidateConfig(ctx context.Context, req datasour
)
return
}
if !data.MaaURL.IsNull() {
resp.Diagnostics.AddAttributeWarning(
path.Root("maa_url"),
"Ensure that the MAA's policy is patched", "When MAA is used, please ensure the MAA's policy is patche properly for use within Constellation. See https://docs.edgeless.systems/constellation/workflows/terraform-provider#quick-setup for more information.",
)
return
}
if data.AttestationVariant.Equal(types.StringValue("azure-sev-snp")) && data.MaaURL.IsNull() {
tflog.Info(ctx, "MAA URL not set, MAA fallback will be unavailable")
}
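Review bot: The warning detail added in ValidateConfig misspells "patched" as "patche"; this string is shown to every user who sets `maa_url`, so it should read `please ensure the MAA's policy is patched properly for use within Constellation`. The `return` after `AddAttributeWarning` also ends validation as soon as `maa_url` is non-null. The only later check visible here requires `data.MaaURL.IsNull()`, so nothing in the hunk is skipped, but ValidateConfig begins and may continue outside the hunk, and a warning-only branch that returns would silently bypass any check placed after it. Dropping that `return` keeps the reminder advisory without cutting the rest of validation short.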